Comments

This is only a feature for boxes that are in a secure location. Anywhere else, someone who’s alone with your machine could reboot it and get root!

For machines that are not in a secure location, you should edit “/etc/ttys” and mark the console as insecure. Then, after you reboot (or HUP init), no one can go to single-user mode without first entering the root password. … Bad for lost passwords, but good for security. :)
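A way to check the setting described in the comment above, as an added example that is not part of the original comments: the `console_flag` and `single_user_prompts_for_root` function names and the sample entries are constructed here, and the parsing assumes the usual ttys(5) layout of name, command, type, then flags.

```shell
#!/bin/sh
# Added example: report how the console entry of a ttys(5)-style file is flagged.
# Prints one of: secure, insecure, unflagged (no such flag), missing (no console entry).
console_flag() {
    awk '
        { sub(/#.*/, "") }                   # strip comments, including trailing ones
        $1 == "console" {
            line = $0
            gsub(/"[^"]*"/, "QUOTED", line)  # a quoted getty command counts as one field
            n = split(line, f)               # f[1]=name f[2]=command f[3]=type f[4..]=flags
            flag = "unflagged"
            for (i = 4; i <= n; i++)
                if (f[i] == "secure" || f[i] == "insecure")
                    flag = f[i]              # the last secure/insecure keyword is reported
            found = 1
        }
        END { print (found ? flag : "missing") }
    ' "$@"
}

# Succeeds only when the console is explicitly marked insecure, the state in
# which, per the comment above, single-user mode asks for the root password.
single_user_prompts_for_root() {
    [ "$(console_flag "$@")" = "insecure" ]
}

# Constructed sample entries (not copied from any real host).
SAMPLE_TTYS='# name  getty                     type     status
console none                      unknown  off secure
ttyv0   "/usr/libexec/getty Pc"   xterm    on  secure'

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_TTYS" | single_user_prompts_for_root; then
    echo "console is marked insecure"
else
    echo "console is not marked insecure: $(printf '%s\n' "$SAMPLE_TTYS" | console_flag)"
fi
```

On a real host, call `console_flag /etc/ttys` instead of piping in the sample.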

It happened to me once and it was quite complicated to discover this even though it’s similar to Linux. I agree you should put the console as insecure but then what? You can use a boot CD with a portable CD drive so the box is more protected. Any other ideas?

When someone has physical access to your computer it is also possible to get around the password in single user mode by using a livecd > mount the system partition and change the password hash in /etc/shadow.
So I would also suggest setting a boot password in the BIOS so one would need to reset the BIOS chip on the motherboard to be able to boot a live medium.

Nothing is completely safe but we can try to make it as hard as possible ;)